It continues to frustrate me that publications such as this recent white paper from the Microsoft EMS (Enterprise Mobility and Security) team still underplay the need for organisations to get their on-premises identity management under control before turning on AAD Connect. Statements like the following:

“… our organizations have long used on-premises identity management technologies such as Microsoft Active Directory”

“Your users’ identities can still come from your own directory service—you’re still in control …”

seem to imply that of course you control your own AD today. Last I heard AD was an identity technology, but an identity management technology??? Can anyone really be in control of their on-premises directory service without some form of identity life-cycle management in place beyond the ADUC console itself?

Fellow Adelaide MVP Adam Fowler pointed me at a product called Softerra Adaxes, and explained how he is using this to centralise his business rules for managing identity lifecycles, applying them directly to AD via a nifty browser-hosted web application. This adds the “smarts” (as he likes to call them) that are missing natively from the AD platform. On a small scale, with only a few hundred employees, Adam is able to ensure that only people in his organisation with current access entitlements are able to authenticate to his systems and securely access resources on his company’s network. I would still like to see him wire up his company’s HR system as a source of truth (SoT) for not only employee identity data, but also joiner/mover/leaver events. That said, the checks and balances he puts in place enforce ongoing compliance, if not quite the continuous compliance I can achieve with, say, a MIM2016 implementation. If only every SMB had someone like Adam taking care of things – but what of the rest?

In my role as IAM solution architect and implementer over the last decade, working predominantly with Microsoft Identity Manager (and its various predecessors), I have come to appreciate that what we now refer to as “on-premises” IAM solutions are starting to lose their appeal. Yet don’t be fooled! Even if you choose to run your IAM platform wholly or in part from a cloud platform such as Okta or SailPoint, the Microsoft “Hybrid Identity” model (supported by AAD Connect) is still very much dependent on integrity being enforced first and foremost in your on-premises directory, which for the most part continues to be Microsoft AD.

You may have heard about HR-driven identity management in Azure with WorkDay, whereby AAD accounts are provisioned directly from a WorkDay feed. What you might not know is that this does not work in a hybrid scenario: there, a “thin agent” is required to provision to the on-premises AD first, from where AAD Connect kicks in and provisions to AAD. This remains the ONLY supported hybrid model today, not only for WorkDay but for every HR-driven scenario … you have to manage the on-premises directory first.
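To make the “manage the on-premises directory first” point concrete, here is an added example (not code from the original post, nor from MIM, Adaxes, WorkDay or any other product it names) of the joiner/mover/leaver reconciliation an HR-driven provisioning engine performs against AD before anything reaches AAD. The HR feed and the AD export are constructed inline; the field names (`employee_id`, `dept`, `enabled`, `sam`) are assumptions standing in for whatever your HR system and your `Get-ADUser` export actually carry. The output is the list of actions the provisioning engine would apply to AD, after which AAD Connect would synchronise the result to the cloud.

```python
"""Joiner/mover/leaver (JML) reconciliation of an HR feed against an AD export.

Added example, not code from the original post or from any product it names.
Both data sets are constructed inline; in a real deployment the HR feed comes
from the HR system and the directory state from on-premises AD (for instance a
Get-ADUser export), and the resulting actions are carried out by the
provisioning engine against AD first, from where AAD Connect synchronises them
to Azure AD.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR feed: the source of truth for who is employed, in which
# department, and until when.
HR_FEED = [
    {"employee_id": "E1001", "name": "Alice Example", "dept": "Finance", "status": "active", "end_date": ""},
    {"employee_id": "E1002", "name": "Bob Example", "dept": "Sales", "status": "active", "end_date": ""},
    {"employee_id": "E1003", "name": "Carol Example", "dept": "IT", "status": "active", "end_date": "2024-05-31"},
    {"employee_id": "E1004", "name": "Dan Example", "dept": "Legal", "status": "active", "end_date": ""},
]

# Constructed AD state: sAMAccountName, employeeID attribute, department, enabled flag.
AD_USERS = [
    {"sam": "alice", "employee_id": "E1001", "dept": "Finance", "enabled": True},
    {"sam": "bob", "employee_id": "E1002", "dept": "Marketing", "enabled": True},  # HR now says Sales
    {"sam": "carol", "employee_id": "E1003", "dept": "IT", "enabled": True},       # HR end date 2024-05-31
    {"sam": "svc-backup", "employee_id": "", "dept": "", "enabled": True},          # no HR record at all
]


@dataclass(frozen=True)
class Action:
    kind: str     # "join", "move", "enable", "leave" or "orphan"
    subject: str  # employee_id for a join, sAMAccountName otherwise
    detail: str


def hr_is_active(rec: dict, today: date) -> bool:
    """Active in HR means status 'active' and no end date on or before today."""
    if rec["status"] != "active":
        return False
    if rec["end_date"]:
        return date.fromisoformat(rec["end_date"]) > today
    return True


def reconcile(hr_feed: list, ad_users: list, today_iso: str) -> list:
    """Compare the HR feed with AD and return the JML actions that close the gap."""
    today = date.fromisoformat(today_iso)
    ad_by_id = {u["employee_id"]: u for u in ad_users if u["employee_id"]}
    actions = []

    for rec in hr_feed:
        ad = ad_by_id.get(rec["employee_id"])
        if hr_is_active(rec, today):
            if ad is None:
                # Joiner: HR vouches for a person AD has never heard of.
                actions.append(Action("join", rec["employee_id"],
                                      f"provision {rec['name']} in {rec['dept']}"))
                continue
            if not ad["enabled"]:
                actions.append(Action("enable", ad["sam"], "active in HR but disabled in AD"))
            if ad["dept"] != rec["dept"]:
                # Mover: the account exists but its attributes lag behind HR.
                actions.append(Action("move", ad["sam"],
                                      f"department {ad['dept']} -> {rec['dept']}"))
        elif ad is not None and ad["enabled"]:
            # Leaver: HR no longer vouches for this person, yet the account still authenticates.
            actions.append(Action("leave", ad["sam"],
                                  f"disable; HR status {rec['status']}, end date {rec['end_date'] or 'n/a'}"))

    # Enabled accounts with no HR record are exactly what AD on its own can never flag.
    hr_ids = {rec["employee_id"] for rec in hr_feed}
    for u in ad_users:
        if u["enabled"] and u["employee_id"] not in hr_ids:
            actions.append(Action("orphan", u["sam"], "enabled account with no HR record; review"))
    return actions


if __name__ == "__main__":
    for a in reconcile(HR_FEED, AD_USERS, "2024-06-03"):
        print(f"{a.kind:7} {a.subject:12} {a.detail}")
```

Run on 3 June 2024 the constructed data yields a mover (bob), a leaver (carol, whose HR end date has passed), a joiner (E1004) and an orphan (svc-backup); run on 30 May the leaver disappears, which is the “continuous compliance” the post contrasts with periodic clean-ups: the HR feed, not the AD console, decides who may still authenticate.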

For all those organisations who have invested in an on-premises IDM solution, announcements like the Azure AD and SailPoint collaboration this week should only reinforce how fortuitous it is that you are now in a position to reap the rewards of doing so. Some might try to tell you that you are now being left behind on a legacy platform, but why “throw out the baby with the bathwater”? With Microsoft’s investment in what happens downstream of your AD (either directly, or via AAD Connect into the cloud), you can continue to leverage your existing investment, the one that puts you “in control of your own directory services”. The only thing you now need to consider is whether or not to extend that platform downstream to do something that now makes more sense in the cloud.

For those organisations which have NOT yet made such an investment, you are now in a better position than ever to make up lost ground:

Microsoft now grants free use of the MIM2016 synchronisation service with a Windows Server platform licence, reducing the capital outlay on a traditional on-premises solution for the larger, more complex enterprises who want to leverage what remains Microsoft’s endorsed on-premises IAM platform;

UNIFY provides a SaaS option for the SMBs who want to harness the power of an enterprise-grade solution for a fraction of the cost, or instead you may want to consider the Adaxes-style approach; and

2 Responses to Active Directory is NOT an IdM Technology (without #MIM2016 or similar)

Good article Bob. The use of AD as the IDM product leads to what I call a “market-place” AD. Lots of cooks, lots of OUs, lack of uniformity, support calls up the roof. It is not what the product was designed for and companies realize that when it’s time to go to the cloud. Help, fix my AD… simple, get an IDM product (preferably MIM of course), it is a solid part of the foundation of a good AD design. If the AD identity is not well managed from an authoritative source, then cracks will begin.

Just to mention that Adaxes is not a web-based solution. Web UI is just one of the clients for the Adaxes Service.

This means that wiring up an HR system as a SoT for joiner/mover/leaver events is very easy. You can either use the SPML provider that is a part of Adaxes, or use the SDK (http://www.adaxes.com/sdk/) to connect to the HR system in whatever other way you like.

Adaxes’ automation rules for something like joining, updating or deprovisioning a user can be triggered either by user input via the web UI or by an event provided by the HR system (or in fact any other client). So it’s an absolutely valid scenario to use Adaxes in conjunction with an HR system.